[cabfpub] Application for SHA-1 Issuance
Erwann Abalea
Erwann.Abalea at docusign.com
Thu Jul 28 08:33:33 UTC 2016
Bonjour Rick,
As said, in the first set of 8 tested objects, these are really the tbsCertificate first proposed (with the magical dust in OU).
But in the second set of 7 tested objects, these are in fact the complete certificates (the original ones), and not the tbsCertificate proposed to replace them (with the same key and name, but different serial number and dates).
—
[…]
[stevens TSYS2]$ time ../detectcoll_allDVs *.der
sha1 f75716390925b752b403a7bbf6acb349de9d8d09 ssl1.tsys.1.txt.der
[…]
—
The displayed SHA1 hash is identical with the one of the certificate found at https://crt.sh/?id=12924024, on which the proposed tbsCertificate is based.
A perfectly understandable mistake.
Cordialement,
Erwann Abalea
Le 28 juil. 2016 à 00:08, Rick Andrews <Rick_Andrews at symantec.com<mailto:Rick_Andrews at symantec.com>> a écrit :
Erwann,
Marc Stevens said "certs" but he meant "TBSCertificates". We didn't sign
certificates; we published TBSCertificates.
-Rick
--------------------------
From: Erwann Abalea <eabalea at gmail.com<mailto:eabalea at gmail.com>>
Date: July 27, 2016 at 12:41:27 PM GMT-5
To: Dean Coclin <Dean_Coclin at symantec.com<mailto:Dean_Coclin at symantec.com>>
Subject: Re: [cabfpub] Application for SHA-1 Issuance
He tested the full certificates of the second set, not their tbs, in fact.
Le mercredi 27 juillet 2016, Dean Coclin <Dean_Coclin at symantec.com<mailto:Dean_Coclin at symantec.com>> a
écrit :
I saw an email from Marc Stevens on the Mozilla list a few days ago which
indicated he tested both the original set of TBS certs and the 2nd set and
did not see any issues.
(See:
https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/sku5NYXd
pOM)
Are there other questions that folks would like to ask or concerns that can
be addressed?
Symantec is awaiting approval from browsers to schedule the signing ceremony
this weekend if possible.
Thanks,
Dean
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Ryan Sleevi
Sent: Monday, July 25, 2016 4:26 PM
To: Rob Stradling <rob.stradling at comodo.com>
Cc: Dean Coclin <Dean_Coclin at symantec.com>; CABFPub <public at cabforum.org>
Subject: Re: [cabfpub] Application for SHA-1 Issuance
On Mon, Jul 25, 2016 at 2:20 PM, Rob Stradling <rob.stradling at comodo.com>
wrote:
IINM, both Gerv and Ryan indicated (or at least strongly implied) that
rigid construction was a prerequisite for their (Mozilla's and Google's)
approval of TSYS's request. Did I misread something?
>From https://cabforum.org/pipermail/public/2016-July/008096.html
"Certificates whose contents are entirely predictable or in line with
precedent would also be acceptable; but it seemed like there were
several questions about that floating around, and doing the serial
numbers by strict construction makes them all moot. If you want to try
dealing with all the questions about the contents instead, you are
welcome to try."
Also, I don't see the relevance of "strong consensus". AIUI, there must
be unanimous agreement. If just one root program operator rejects
TSYS's request, then you can't issue the SHA-1 certs. Similarly, if
just one root program operator says rigidly constructed serial numbers
are required, then you can't use random serial numbers.
--
Erwann.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20160728/1709f89d/attachment-0003.html>
More information about the Public
mailing list